Tuesday, April 29, 2003

(ISC)2 Developments

I learned the NSA is teaming up with (ISC)2 to create the Information Systems Security Engineering Professional (ISSEP) certification. According to the press release:


[The] (ISSEP) credential [is] for information security professionals who want to work for NSA, either as employees or outside contractors. The new certification will serve as an extension of the CISSP. . . The new domains of the ISSEP will focus on the technical knowledge required of government information systems security engineers such as ISSE processes and government regulations. The ISSEP complements the CISSP by comprehensively addressing the systems engineering side of information security.


I like the idea of addressing security "systems engineering," if they follow the ideas of Ross Anderson. I don't find the "government regulations" aspect appealing.


On 16 Apr (ISC)2 announced two "concentrations" for CISSPs: "the CISSP, Management Concentration and CISSP, Architecture Concentration." From the press release:


The CISSP Management Concentration validates extensive knowledge in the following areas of the CBK:


  • Enterprise Security Management Practices

  • Enterprise-wide Systems Development Security

  • Operations Security Compliance

  • Business Continuity Planning, Disaster Recovery Planning and Continuity of Operations Planning

  • Law, Investigation, Forensics and Ethics


The CISSP Architecture Concentration validates extensive knowledge in the following areas of the CBK:

  • Access Control, Telecommunications and Methodology

  • Telecommunications and Network Security

  • Cryptography

  • Requirements Analysis and Security Standards/Guidelines Criteria

  • Technology-Related Business Continuity Planning and Disaster Recovery Planning

  • Physical Security Integration


I had hoped one of the concentrations was truly "technical," while the other was "managerial." Seeing "forensics" included with management is a disappointment. The press release states "The first exams for the new CISSP concentrations are scheduled to begin in July 2003, with training classes to begin in the fall."


Beyond the CISSP and its extensions, there's also the SSCP or "Systems Security Certified Practitioner," for people with one year's experience. It was announced 28 Mar 01 but doesn't seem to have gotten much traction.

1 comment:

alex said...

So for a person like me who is a beginner in security and wishes to go into the security field, is the SCCP worth it?